AS-REQ using SPN

Andrew Bartlett abartlet at
Wed Nov 15 22:20:53 UTC 2017

On Wed, 2017-11-15 at 22:18 +0100, Ralph Böhme via samba-technical
> On Thu, Nov 16, 2017 at 06:51:54AM +1300, Andrew Bartlett wrote:
> > Can you show me the full LDIF for that account, and if at all possible
> > a network capture?  
> sure.
> dn: CN=Foo Foo,CN=Users,DC=riverside,DC=site
> sAMAccountName: foo
> sAMAccountType: 805306368

> userPrincipalName: foo/ at RIVERSIDE.SITE

> lockoutTime: 0

> servicePrincipalName: foo/

> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=riverside,DC=site
> dSCorePropagationData: 16010101000000.0Z
> lastLogonTimestamp: 131552130336033649


So that looks to me like it is using the userPrincipalName, not the
servicePrincipalName.  I've not seen this work unless the UPN is set
(and even then there appear to be restrictions based on the principal

I'll lock this down with some more tests, so far they indicate that the
userPrincipalName is the only reason it works, and only for name type


Andrew Bartlett

Authentication Developer, Samba Team
Samba Development and Support, Catalyst IT
